| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 10 Oct 2021 17:12:30 +0800
From: Teng Qi <starmiku1207184332@...il.com>
To: lorenzo.bianconi83@...il.com, jic23@...nel.org, lars@...afoo.de
Cc: linux-iio@...r.kernel.org, linux-kernel@...r.kernel.org,
islituo@...il.com, baijiaju1990@...il.com,
Teng Qi <starmiku1207184332@...il.com>,
TOTE Robot <oslab@...nghua.edu.cn>
Subject: [PATCH] iio: imu: st_lsm6dsx: Fix an array overflow in st_lsm6dsx_set_odr()
The length of hw->settings->odr_table is 2 and ref_sensor->id is an enum
variable whose value is between 0 and 5.
However, the value ST_LSM6DSX_ID_MAX (i.e. 5) is not catched properly in
switch (sensor->id) {
If ref_sensor->id is ST_LSM6DSX_ID_MAX, an array overflow will ocurrs in
function st_lsm6dsx_check_odr():
odr_table = &sensor->hw->settings->odr_table[sensor->id];
and in function st_lsm6dsx_set_odr():
reg = &hw->settings->odr_table[ref_sensor->id].reg;
To fix this possible array overflow, ref_sensor->id should be checked
first. If it is greater than or equal to 2, the function
st_lsm6dsx_set_odr() returns -EINVAL.
Reported-by: TOTE Robot <oslab@...nghua.edu.cn>
Signed-off-by: Teng Qi <starmiku1207184332@...il.com>
---
drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_core.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_core.c b/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_core.c
index db45f1fc0b81..edf5d33dd256 100644
--- a/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_core.c
+++ b/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_core.c
@@ -1308,6 +1308,10 @@ st_lsm6dsx_set_odr(struct st_lsm6dsx_sensor *sensor, u32 req_odr)
break;
}
+ if (ref_sensor->id >= 2) {
+ return -EINVAL;
+ }
+
if (req_odr > 0) {
err = st_lsm6dsx_check_odr(ref_sensor, req_odr, &val);
if (err < 0)
--
2.25.1
Powered by blists - more mailing lists